CA SiteMinder® Federation Standalone Guide: Failover Support for Federation System
How to Configure Failover with SSL Enabled
You can enable SSL in a failover environment whether your federation system sits behind a load balancer or behind a proxy server. The two topologies differ in where SSL is terminated (on the federation systems behind a TCP load balancer, on the proxy server otherwise), so each has its own configuration instructions.
Configuring SSL-enabled failover requires the following tasks:
- Installing CA SiteMinder® Federation Standalone on at least two systems.
- Running the Configuration wizard on the two federation systems.
- Enabling SSL for the embedded Apache Web Server (only if the federation system is behind a load balancer).
- Migrating the SSL configuration from the primary to the secondary system (only if the federation system is behind a load balancer).
- Setting up a proxy server or load balancer that will manage failover of the federation systems.
We recommend that you configure each federation system before configuring failover for the proxy server or load balancer.
Configure SSL-enabled Failover Behind a Load Balancer
You can configure the system to sit behind a TCP load balancer. The load balancer passes the SSL connections through to the federation system unchanged, and the federation system itself terminates SSL and handles the server-side SSL processing.
Follow these steps:
- Install the product on each system, specifying the same Federation Administrator Password for each installation.
Note: The product can run in standalone or proxy mode, but the primary and secondary servers must both run in the same mode.
- Run the Configuration wizard and use the same database connection information for both systems.
- The Configuration wizard prompts for the Apache Configuration information. Specify the same virtual host name in the Server Name setting for the primary and secondary federation systems. Both systems must use the same virtual host name.
If the product is using more than one virtual host or domain, modify the server.conf file for the proxy engine. The server.conf file must list all host names and domains. Add the names to the hostnames field of the Default VirtualHost.
To edit server.conf
- Navigate to the following directory:
Windows: federation_install_dir\secure-proxy\proxy-engine\conf
UNIX: federation_install_dir/secure-proxy/proxy-engine/conf
- Open the server.conf file in an editor.
- Go to the # Default Virtual Host section and add the names to the hostnames setting as fully qualified host names, as follows.
<VirtualHost name="default">
hostnames="virtualhost1.example.com, virtualhost2.example.com"
</VirtualHost>
Note: You can specify multiple host names for the hostnames setting, separating each entry with a comma.
- Log in to the Administrative UI.
- Click Infrastructure, System Settings.
- Change the Global Base URL to include the host and port of the proxy server or load balancer in your federated network. Setting this URL ensures that the default URL for every entity in any partnership points at the proxy server or load balancer rather than at an individual federation system. After changing the Global Base URL, add its host name and port to server.conf as well.
To modify the server.conf file
- Navigate to federation_install_dir/secure-proxy/proxy-engine/conf.
- Open the server.conf file in an editor.
- Go to the # Default Virtual Host section.
- Add the host name and port of the new base URL to the hostnames setting, keeping the existing entry, using fully qualified host names, as follows:
<VirtualHost name="default">
hostnames="defaultbaseurl.example.com:80, newbaseurl.example.com:80"
</VirtualHost>
Note: Specify multiple host_name:port entries for the hostnames setting, separating each entry with a comma.
- Enable SSL for the embedded Apache Web Server on the primary federation system.
- Migrate the Apache SSL configuration to the secondary system in the failover deployment.
- At the load balancer, map the shared virtual host name to the IP addresses of both federation systems, so that the same host name resolves to the primary system and, on failover, to the secondary system.
More information:
Install CA SiteMinder® Federation Standalone
Migrate the SSL Setup to the Secondary System
After Apache SSL is configured on the primary CA SiteMinder® Federation Standalone machine, the configuration can be migrated to the secondary machine behind the load balancer.
Note: This procedure does not apply if CA SiteMinder® Federation Standalone is behind a proxy server.
Ensure that the following criteria are met:
- The same server certificate is used on each CA SiteMinder® Federation Standalone machine.
- Each CA SiteMinder® Federation Standalone machine is configured with the same host name.
- CA SiteMinder® Federation Standalone is accessed through a load balancer.
- All machines are of the same platform (Windows/Solaris/Linux).
To copy the SSL configuration to the secondary machine
- Enable Apache SSL on the primary CA SiteMinder® Federation Standalone machine. Once SSL is enabled, the following files exist:
- SSL server cert
federation_install_dir/secure-proxy/SSL/certs/server.crt
- CA bundle
federation_install_dir/secure-proxy/SSL/certs/ca-bundle.cert
- SSL server key
federation_install_dir/secure-proxy/SSL/keys/server.key
- certificate request file
federation_install_dir/secure-proxy/SSL/keys/fedmgrsslcertrequest.pem
- SSL properties file
federation_install_dir/config/fedmanager.properties
- Import the CA certificate that signed the SSL server certificate into the secondary machine. Use the Administrative UI to import the certificate.
On the primary machine, this certificate was imported before or during the SSL configuration process. Use the same alias on the secondary machine as was used for this certificate on the primary machine; if you choose a different alias, you must update fedmanager.properties accordingly (see the properties note below).
- Copy each of the files listed in step 1 to the same locations on the secondary machine. The folders should already exist.
Note the following:
- The secondary machine should already have a copy of ca-bundle.cert. That copy should be backed up or deleted; the new copy from the primary machine has additional data that the secondary machine requires.
- Copying the certificate request file (fedmgrsslcertrequest.pem) is only required if you want to retrieve it using the Administrative UI on the secondary machine. If not, do not copy the file.
- The SSL properties file should contain at least the following two properties:
- fedmgr.ssl.enabled, set to Y.
- fedmgr.ssl.ca.alias, set to the alias of the CA that signed the SSL server certificate request.
- If you used a different alias when importing this certificate on the secondary machine, update this property with the alias value you actually used.
The configuration is now migrated and you can activate SSL on the secondary system.
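Before activating SSL on the secondary machine, it is worth confirming that the migration above actually produced a consistent set of files. The following POSIX shell function is an added example, not part of the product: it checks that the migrated files are present, that server.crt on the secondary has the same SHA-256 digest as on the primary (the guide requires the same certificate on both machines), that fedmgr.ssl.enabled is Y and fedmgr.ssl.ca.alias is set, and, when the openssl command is available, that server.key really belongs to server.crt. The directory layout is the one listed in step 1; the expected digest is obtained on the primary with `sha256sum federation_install_dir/secure-proxy/SSL/certs/server.crt`.

```shell
#!/bin/sh
# Pre-flight check for an Apache SSL setup migrated to the secondary
# CA SiteMinder Federation Standalone machine (added example, not product code).
# Usage: check_ssl_migration federation_install_dir expected_server_crt_sha256
# Returns 0 when every check passes, 1 otherwise; each failure is printed.
check_ssl_migration() {
    inst="$1"
    expected_digest="$2"
    rc=0
    certs="$inst/secure-proxy/SSL/certs"
    keys="$inst/secure-proxy/SSL/keys"
    props="$inst/config/fedmanager.properties"

    # 1. Every file copied in the migration must be present and non-empty.
    #    fedmgrsslcertrequest.pem is optional, so it is not checked.
    for f in "$certs/server.crt" "$certs/ca-bundle.cert" "$keys/server.key" "$props"; do
        if [ ! -s "$f" ]; then
            echo "MISSING: $f"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return 1

    # 2. The secondary must carry the same server certificate as the primary.
    actual_digest=$(sha256sum "$certs/server.crt" | cut -d' ' -f1)
    if [ "$actual_digest" != "$expected_digest" ]; then
        echo "MISMATCH: server.crt digest $actual_digest != expected $expected_digest"
        rc=1
    fi

    # 3. The private key was copied across machines; warn if it is readable
    #    by group or others (columns 5-10 of ls -l are the group/other bits).
    perms=$(ls -l "$keys/server.key" | cut -c5-10)
    case "$perms" in
        ------) ;;
        *) echo "WARNING: $keys/server.key is group/other readable ($perms)" ;;
    esac

    # 4. fedmanager.properties must enable SSL and name the CA alias.
    #    CR characters are stripped so a file copied from Windows still parses.
    enabled=$(sed -n 's/^fedmgr\.ssl\.enabled[[:space:]]*=[[:space:]]*//p' "$props" | tr -d '\r' | tail -n 1)
    ca_alias=$(sed -n 's/^fedmgr\.ssl\.ca\.alias[[:space:]]*=[[:space:]]*//p' "$props" | tr -d '\r' | tail -n 1)
    if [ "$enabled" != "Y" ]; then
        echo "BAD PROPERTY: fedmgr.ssl.enabled is '$enabled', expected Y"
        rc=1
    fi
    if [ -z "$ca_alias" ]; then
        echo "BAD PROPERTY: fedmgr.ssl.ca.alias is empty; set it to the alias used when importing the CA certificate"
        rc=1
    fi

    # 5. If openssl is installed, confirm the key matches the certificate by
    #    comparing the public key extracted from each.
    if command -v openssl >/dev/null 2>&1; then
        cert_pub=$(openssl x509 -in "$certs/server.crt" -noout -pubkey 2>/dev/null)
        key_pub=$(openssl pkey -in "$keys/server.key" -pubout 2>/dev/null)
        if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
            echo "MISMATCH: server.key does not match server.crt"
            rc=1
        fi
    fi
    return $rc
}
# Example invocation (path and digest are placeholders):
# check_ssl_migration /opt/CA/federation 3f2a...e9 && echo "migration looks consistent"
```

Run the function on the secondary machine after step 3 and before the activation procedure that follows; a non-zero return means the SSL start will either fail or, worse, come up with a certificate that differs from the primary's, which the load balancer clients will notice as a certificate change on failover.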
Activate SSL on the Secondary Failover System
After migrating the Apache SSL configuration to the secondary system, enable SSL.
To activate SSL on the secondary machine (Windows)
- Open a command prompt window on the secondary machine.
- Navigate to the federation_install_dir/secure-proxy/httpd/bin folder.
- Execute the following command:
configssl.bat -enable
- Stop and restart the CA SiteMinder® Federation Standalone services using the following shortcuts:
- Start, All Programs, CA, Federation Standalone, Stop services
- Start, All Programs, CA, Federation Standalone, Start services
If you logged in as a network user and not a local administrator, right-click each shortcut and select Run as administrator.
To activate SSL on the secondary machine (UNIX)
- Navigate to the federation_install_dir.
- Shut down CA SiteMinder® Federation Standalone services by executing the command:
./fedmanager.sh stop
- Restart CA SiteMinder® Federation Standalone services in SSL-enabled mode by executing the command:
./fedmanager.sh startssl
- When prompted, enter the Administrative UI password to enable startup of the Apache web server in SSL mode.
Configure SSL-enabled Failover Behind a Proxy Server
If CA SiteMinder® Federation Standalone is behind a proxy server, the proxy server terminates SSL and handles all SSL processing. The federation systems do not process SSL in this topology, because many proxy servers cannot pass SSL connections through to another system untouched. Consequently, configure the proxy server with the server certificate and its private key, the CA certificate that signed the server certificate, and the CA certificates that signed any remote client certificates the proxy must verify.
No SSL configuration is required on the CA SiteMinder® Federation Standalone machines sitting behind the proxy server; they receive the requests that the proxy server has already decrypted.
Set up the Proxy Server or Load Balancer for Failover
You can configure a proxy server or load balancer to fail over between the CA SiteMinder® Federation Standalone systems.
Note: The administrator of the proxy server or load balancer must know how to set up failover for the system in the deployment.
Follow these steps:
- Identify one CA SiteMinder® Federation Standalone system as the primary host and the other as the secondary host.
Do not configure load balancing between the systems: the secondary host should receive traffic only when the primary host is unavailable.
- Configure the proxy server or load balancer for the CA SiteMinder® Federation Standalone deployment, making sure to pass the following URLs to the CA SiteMinder® Federation Standalone systems:
- /affwebservices/*
- /siteminderagent/*
These URL patterns cover the federation endpoints, so that the proxy server or load balancer forwards federation traffic to the primary CA SiteMinder® Federation Standalone system and, when the primary is unavailable, to the secondary system.
The proxy server or load balancer is now configured for failover.
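The two topologies described in this chapter map onto two different front-end configurations. The HAProxy fragments below are an added illustration, not part of the CA SiteMinder® Federation Standalone documentation and not tied to any particular load balancer the product requires; the host names, addresses, ports, certificate paths and backend names are assumptions. The first fragment is the TCP load balancer case: SSL is passed through untouched, the federation systems terminate it (so both must present the same certificate, as the migration section requires), and because the load balancer never sees the HTTP request it cannot restrict forwarding by path. The second fragment is the proxy server case: the proxy terminates SSL with the server certificate and key, optionally verifies remote client certificates against their issuing CAs, and forwards only /affwebservices/* and /siteminderagent/* to the federation systems over plain HTTP. In both cases the secondary is marked `backup`, so it receives traffic only while the primary fails its health check; there is no load balancing between the two.

```haproxy
# Added example: HAProxy failover in front of two CA SiteMinder Federation
# Standalone systems. Deploy only ONE of the two frontend/backend pairs,
# whichever matches your topology; both bind port 443 and would conflict.
global
    log stdout format raw local0

defaults
    log     global
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# --- Case 1: TCP load balancer, SSL terminated on the federation systems ---
frontend fed_tls_passthrough
    mode tcp
    bind :443
    option tcplog
    default_backend fed_tcp

backend fed_tcp
    mode tcp
    # "check" is a plain TCP connect check (assumed sufficient here; the
    # guide names no HTTP health endpoint). "backup" makes the secondary
    # receive connections only while the primary is down: failover, not
    # load balancing.
    server fed-primary   10.0.1.11:443 check
    server fed-secondary 10.0.1.12:443 check backup

# --- Case 2: reverse proxy that terminates SSL itself ---
frontend fed_tls_terminating
    mode http
    option httplog
    # fed.example.com.pem holds the server certificate, its chain and the
    # private key. partner-cas.pem holds the CAs that issued any remote
    # client certificates; "verify optional" accepts connections without a
    # client certificate but rejects ones whose certificate fails to verify.
    bind :443 ssl crt /etc/haproxy/certs/fed.example.com.pem ca-file /etc/haproxy/certs/partner-cas.pem verify optional
    # Forward only the federation endpoints listed in the guide.
    acl fed_path path_beg /affwebservices/ /siteminderagent/
    http-request deny unless fed_path
    default_backend fed_http

backend fed_http
    mode http
    # Plain HTTP to the federation systems: no SSL configuration is needed
    # on them in this topology.
    server fed-primary   10.0.1.11:80 check
    server fed-secondary 10.0.1.12:80 check backup
```

In the proxy server case the Host header clients send is the proxy's name, so the Global Base URL in the Administrative UI and the hostnames entry in server.conf must name the proxy (here fed.example.com) as described earlier in this chapter; otherwise the federation system generates partnership URLs that point past the proxy at itself.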
Copyright © 2014 CA.
All rights reserved.